
LDAP Reconnaissance

Reconnaissance is an important part of any successful attack. There are two key forms: initial or external reconnaissance that is performed before an adversary infiltrates an organization, and internal reconnaissance where they discover additional information and context about the organization’s environment.

LDAP reconnaissance is an internal reconnaissance technique attackers use to discover users, groups and computers in Active Directory. They use LDAP queries to increase their knowledge of the environment, which can help them find targets and plan the next stages of their attack. Because this technique is used by adversaries who have already infiltrated an organization, it is an internal (rather than external) reconnaissance technique.

Threat Summary

Target: Active Directory

Tools: BloodHound, PowerSploit, SharpHound, Spray

ATT&CK® Tactic: Discovery

ATT&CK Technique: T1087.002

Difficulty

Detection: Hard

Mitigation: Hard

Response: Medium

Performing Reconnaissance using LDAP

STEP 1: Obtain a foothold

Adversaries use a variety of techniques to gain a foothold in an organization’s IT environment, including phishing, watering hole and password spraying attacks. Here is how an adversary who has obtained a list of possible usernames can conduct a password spraying attack using Spray, a bash script made to perform password spray attacks on multiple platforms, against the organization’s virtual private network (VPN) server:

      [attacker@machine ~]$ spray.sh -cisco vpn.org.com usernames.txt passwords.txt 1 35
      Valid Credentials joed Summer2020

STEP 2: Perform reconnaissance using LDAP

The adversary uses the compromised credentials to authenticate to the VPN and gain network access, and then uses those same credentials to query Active Directory. They can enumerate Active Directory using the ActiveDirectory PowerShell module, or automate the discovery using tools like BloodHound and PowerSploit. In this example, the adversary uses PowerShell to look for possible passwords in users’ description attributes:

      PS> Import-Module ActiveDirectory
      PS> Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -Properties * | Select-Object SAMAccountName, Description, DistinguishedName

      SAMAccountName  Description             DistinguishedName
      --------------  -----------             -----------------
      Alice           Password: P@ssw0rd123!  CN=Alice,OU=Users,DC=domain,DC=com

      PS>

STEP 3: Use information to further objectives

Using the credentials they have found, the adversary conducts further internal reconnaissance using tools like BloodHound and SharpHound, which assist with untangling complex webs of permissions. Using this information, the adversary can map out pathways to objectives, such as domain dominance.

The graphic below illustrates an example. Suppose an attacker gains the credentials for the user account Alice. That account has WriteDACL and WriteOwner permissions on the user Eve, which means Alice can grant herself access to Eve's account. Eve has rights to reset the password of the account Bob, and Bob has permissions (granted through AdminSDHolder propagation) to modify the Domain Admins group. Therefore, finding Alice's password was very valuable to the adversary!

[Figure: attack path from Alice through Eve and Bob to the Domain Admins group]


Result

After collecting data with SharpHound.exe -C All, the adversary can load the data set into BloodHound to explore pathways to domain dominance.
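The path-finding that BloodHound performs on the Alice/Eve/Bob scenario above can be reproduced on a small scale, which is also how a defender audits an ACL export for routes into Domain Admins before an adversary finds them. The following is an added example and not code from the page, BloodHound or SharpHound; the edge list is constructed to mirror the scenario in the text (Carol, Dave and Help Desk are extra principals with no route to the goal), and the set of "traversable" rights is an assumption chosen for the illustration.

```python
from collections import deque

# Constructed sample edges (not the page's BloodHound data). Each edge reads
# "source holds <right> over target". The Alice -> Eve -> Bob -> Domain Admins chain
# mirrors the scenario described above; Carol and Dave are extra principals with
# no route to the goal, so the search has something to reject.
EDGES = [
    ("Alice", "WriteDACL", "Eve"),
    ("Alice", "WriteOwner", "Eve"),
    ("Eve", "ForceChangePassword", "Bob"),
    ("Bob", "GenericWrite", "Domain Admins"),  # the AdminSDHolder-propagated right in the text
    ("Carol", "ForceChangePassword", "Dave"),
    ("Dave", "MemberOf", "Help Desk"),
]

# Assumed set of rights that let the holder act as (or add itself to) the target,
# so a path may continue through that target.
TRAVERSABLE = {"WriteDACL", "WriteOwner", "ForceChangePassword",
               "GenericWrite", "GenericAll", "AddMember", "MemberOf", "Owns"}


def build_graph(edges):
    """Adjacency list keeping only traversable rights: node -> [(right, target), ...]."""
    graph = {}
    for src, right, dst in edges:
        if right in TRAVERSABLE:
            graph.setdefault(src, []).append((right, dst))
    return graph


def shortest_path(graph, start, goal):
    """Breadth-first search; returns [node, right, node, ..., goal] or None if unreachable."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [right, nxt]))
    return None


def format_path(path):
    """Render a path as 'A -[Right]-> B -[Right]-> C'."""
    out = path[0]
    for i in range(1, len(path), 2):
        out += f" -[{path[i]}]-> {path[i + 1]}"
    return out


def principals_reaching(graph, goal):
    """Every principal other than the goal that has a path to it, with hop count, sorted by name."""
    nodes = set(graph) | {dst for adj in graph.values() for _, dst in adj}
    found = []
    for node in sorted(nodes):
        if node == goal:
            continue
        path = shortest_path(graph, node, goal)
        if path is not None:
            found.append((node, (len(path) - 1) // 2))
    return found


if __name__ == "__main__":
    g = build_graph(EDGES)
    print(format_path(shortest_path(g, "Alice", "Domain Admins")))
    for name, hops in principals_reaching(g, "Domain Admins"):
        print(f"{name}: {hops} hop(s) to Domain Admins")
```

Run stand-alone, the script prints the three-hop Alice path and lists Alice, Bob and Eve as the principals that can reach Domain Admins. In a real audit the edge list would come from an ACL export, and the principals_reaching output is the remediation worklist: each listed account is a low-privilege identity whose compromise is equivalent to Domain Admins.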

Detect, Mitigate and Respond

Detect

Difficulty: Hard

The LDAP protocol is used frequently in Active Directory, so it is difficult to separate malicious queries from legitimate ones. Moreover, Active Directory does not provide a mechanism for logging the exact queries received; however, some degree of profiling and monitoring for access to specific attributes can be achieved using event 4662 in the subcategory Audit Directory Service Access.

Monitoring network traffic received by domain controllers for specific LDAP queries can help you detect adversary activity. The following table shows a small sampling of the kinds of queries that should be infrequent in normal operation but can provide strong signals of adversary activity:

Query                                                 Information Collected
----------------------------------------------------  ------------------------------------------------------------
(&(ObjectClass=user)(servicePrincipalName=*))         All user objects that have a servicePrincipalName configured
(userAccountControl:1.2.840.113556.1.4.803:=65536)    Objects that have Password Never Expires set
(userAccountControl:1.2.840.113556.1.4.803:=4194304)  Objects that do not require Kerberos pre-authentication
(sAMAccountType=805306369)                            All computer objects
(sAMAccountType=805306368)                            All user objects
(userAccountControl:1.2.840.113556.1.4.803:=8192)     All domain controller objects
(primaryGroupID=512)                                  All Domain Admins using primaryGroupID

Mitigate

Difficulty: Hard

Because LDAP plays an essential role in normal Active Directory operations, organizations cannot simply block its use. Instead, focus on mitigations that prevent infiltration in the first place: user awareness and training, endpoint compromise detection and response, phishing detection and prevention, email security, multi-factor authentication (MFA), and so on.

Respond

Difficulty: Medium

If LDAP reconnaissance is detected in the environment, activate the incident response process and alert the incident response team.

If an adversary’s presence is confirmed:

  • Reset the password and disable the user account performing reconnaissance.
  • Quarantine the source computer for forensic investigation and eradication and recovery activities.
